Multiple platform certificates that Android OEM device vendors use to digitally sign core system applications have also been used to sign Android apps containing malware.

The biggest problem is that, because these apps are signed with the same platform certificate and assigned the highly privileged ‘android.uid.system’ user ID, they gain the same system-level access to the Android device as the vendor's own core system apps. This means they can inspect and do much more than standard apps.

More:

https://arstechnica.com/gadgets/2022/12/samsungs-android-app-signing-key-has-leaked-is-being-used-to-sign-malware/

List of hashes: https://bugs.chromium.org/p/apvi/issues/detail?id=100
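As an added example (not part of the original post), the check below flags APKs whose signing certificate matches one of the leaked platform certificates. It parses the `Signer #N certificate SHA-256 digest:` lines printed by `apksigner verify --print-certs`; the digest set is a placeholder that you fill from the APVI issue linked above, and the sample output is constructed, not captured from a device.

```python
"""Flag APKs signed with a known-leaked Android platform certificate.

Collecting the input on a real device (not automated here):
    adb shell pm list packages -f        # lists installed APK paths
    adb pull <path> <name>.apk
    apksigner verify --print-certs <name>.apk
"""
import re
from typing import Dict, List, Set

# PLACEHOLDER: replace with the lowercase SHA-256 digests of the leaked
# platform certificates from the APVI issue linked above.
LEAKED_CERT_SHA256: Set[str] = {
    "a" * 64,  # placeholder value, not a real certificate digest
}

# Digest line as printed by `apksigner verify --print-certs`.
DIGEST_RE = re.compile(r"^Signer #\d+ certificate SHA-256 digest: ([0-9a-fA-F]{64})$")


def parse_apksigner_output(text: str) -> List[str]:
    """Return every signer SHA-256 digest (lowercase hex) found in apksigner output."""
    digests: List[str] = []
    for line in text.splitlines():
        match = DIGEST_RE.match(line.strip())
        if match:
            digests.append(match.group(1).lower())
    return digests


def flag_leaked_signers(apk_outputs: Dict[str, str],
                        leaked: Set[str] = LEAKED_CERT_SHA256) -> Dict[str, List[str]]:
    """Map APK name -> digests of its signers that match a leaked platform cert."""
    hits: Dict[str, List[str]] = {}
    for apk, text in apk_outputs.items():
        matched = [d for d in parse_apksigner_output(text) if d in leaked]
        if matched:
            hits[apk] = matched
    return hits


# Constructed sample output in apksigner's format (uppercase hex on purpose,
# to show that matching is case-insensitive).
SAMPLE_OUTPUTS: Dict[str, str] = {
    "com.example.flashlight.apk": (
        "Signer #1 certificate DN: CN=Example Vendor\n"
        "Signer #1 certificate SHA-256 digest: " + "A" * 64 + "\n"
        "Signer #1 certificate SHA-1 digest: " + "b" * 40 + "\n"
    ),
    "com.example.notes.apk": (
        "Signer #1 certificate DN: CN=Example Developer\n"
        "Signer #1 certificate SHA-256 digest: " + "c" * 64 + "\n"
    ),
}

if __name__ == "__main__":
    for apk, digests in flag_leaked_signers(SAMPLE_OUTPUTS).items():
        print(f"{apk}: signed with leaked platform certificate {digests}")
```

A hit on an app that is not a vendor system app is the case the post describes: the app shares the OEM's platform certificate and can run as android.uid.system.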

Recommendations

Developer:

Check apps on your devices and do not install applications from untrusted sources.

QA engineer:

Check apps on your devices and do not install applications from untrusted sources.

PM/DM:

Check apps on your devices and do not install applications from untrusted sources. Play Store review times may also be extended.
